1 Reply Latest reply on Nov 21, 2011 5:21 PM by John Baker


    John Baker Newbie

      The PicketLink KeyStoreKeyManager class contains this code:


         // Fragment as posted, with the braces restored so the structure is readable.
         // The throws clause in the post breaks off after the first exception type; the
         // second is the one declared on the TrustKeyManager interface.
         public void setAuthProperties(List<AuthPropertyType> authList) throws TrustKeyConfigurationException,
               TrustKeyProcessingException {

            for (AuthPropertyType auth : authList) {
               this.authPropsMap.put(auth.getKey(), auth.getValue());
            }

            this.keyStoreURL = this.authPropsMap.get(KEYSTORE_URL);
            this.keyStorePass = this.authPropsMap.get(KEYSTORE_PASS);
            this.signingAlias = this.authPropsMap.get(SIGNING_KEY_ALIAS);

            // The signing key password is mandatory here: a missing or empty value is fatal.
            String keypass = this.authPropsMap.get(SIGNING_KEY_PASS);
            if (keypass == null || keypass.length() == 0)
               throw new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);
            this.signingKeyPass = keypass.toCharArray();
         }



      I'm not sure the lines in bold are correct. It is enforcing a password on an alias within the keystore, but the alias password can be the password of the keystore, and I note:


               publicKey = null;
               try {
                  // First attempt: unlock the entry with the keystore password
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.keyStorePass.toCharArray());
               } catch (UnrecoverableKeyException urke) {
                  // Try with the signing key pass
                  publicKey = KeyStoreUtil.getPublicKey(ks, domainAlias, this.signingKeyPass);
               }


      This suggests that the signingKeyPass is optional. Perhaps that exception can be removed for clarity?

        • 1. Re: KeyStoreKeyManager
          John Baker Newbie

          Ignore this post. Further testing reveals the keystore password must be passed if a signing alias password is not set in this code:


                   return (PrivateKey) ks.getKey(this.signingAlias, this.signingKeyPass);


          Maybe if the signing key password is not passed in the configuration, the keystore password should be taken instead?
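The behaviour both posts are circling, as an added example that is not PicketLink code and not from the thread: a key entry in a Java KeyStore carries its own password, which may or may not equal the store password, and `KeyStore.getKey` throws `UnrecoverableKeyException` when given the wrong one. The program below builds a PKCS12 keystore in memory (JDK 8 or later), shows the store password being rejected for an entry that has a separate key password, and then shows the fallback the reply proposes: when no signing-key password is configured, use the keystore password. It uses a `SecretKeyEntry` rather than a private key entry because the public JDK API offers no way to mint the certificate chain a private key entry requires; `getKey` applies the same per-entry password to both entry types. The helper names `resolveKeyPassword` and `loadKey`, the alias `signing`, and the passwords are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPasswordFallbackDemo {

    // Hypothetical replacement for the hard failure in setAuthProperties: if no
    // signing-key password is configured, fall back to the keystore password.
    static char[] resolveKeyPassword(String signingKeyPass, String keyStorePass) {
        if (signingKeyPass == null || signingKeyPass.isEmpty()) {
            return keyStorePass.toCharArray();
        }
        return signingKeyPass.toCharArray();
    }

    // Same try/catch shape as the getPublicKey snippet in the post: try the
    // configured key password first, then the keystore password.
    static Key loadKey(KeyStore ks, String alias, char[] keyPass, char[] storePass) throws Exception {
        try {
            return ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            return ks.getKey(alias, storePass);
        }
    }

    // Builds a PKCS12 keystore with one key entry protected by entryPass, then
    // writes and re-reads it so the entry is genuinely encrypted under that password.
    static KeyStore buildStore(char[] storePass, char[] entryPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("signing", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(entryPass));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore loaded = KeyStore.getInstance("PKCS12");
        loaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);
        return loaded;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "storepass".toCharArray(); // constructed sample value
        char[] entryPass = "keypass".toCharArray();   // constructed sample value

        // Case 1: the entry has its own password, so the store password does not unlock it.
        KeyStore separate = buildStore(storePass, entryPass);
        try {
            separate.getKey("signing", storePass);
            System.out.println("unexpected: store password unlocked the entry");
        } catch (UnrecoverableKeyException e) {
            System.out.println("store password rejected for the entry: " + e.getMessage());
        }
        System.out.println("entry password unlocks it: "
                + (separate.getKey("signing", entryPass) != null));

        // Case 2: the entry was protected with the store password and no signing-key
        // password is configured; resolveKeyPassword substitutes the store password
        // instead of throwing, and loadKey succeeds on the first attempt.
        KeyStore shared = buildStore(storePass, storePass);
        char[] resolved = resolveKeyPassword(null, "storepass");
        System.out.println("fallback to store password unlocks it: "
                + (loadKey(shared, "signing", resolved, storePass) != null));
    }
}
```

Run it with `javac KeyPasswordFallbackDemo.java && java KeyPasswordFallbackDemo`. Case 1 is why `getKey(this.signingAlias, this.signingKeyPass)` needs some password for the alias; case 2 is the configuration the reply asks about, where that password is simply the keystore password. A deployment that keeps the two equal gains nothing from a separate setting, while one that keeps them different gets an `UnrecoverableKeyException` rather than a silent wrong answer, which is the safer failure.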